Product serialization: The ease of falsifying serialized codes

Amid increasing use of serialized codes to prevent illicit medicines getting into the hands of patients, the limitations of this approach should not be ignored, writes Tim Marsh.

As we pass the midpoint of the second decade of this century, we’re seeing an unprecedented trend in efforts to secure the global supply chain of medicines and medical devices.

A popular tool in the toolbox of regulators and brand owners is, of course, individual unit-of-sale serialization, which imparts uniqueness to every item. Regulators, politicians and brand owners are placing a lot of faith in the addition of serialized codes to products to reduce or eliminate fakes.

Regulation is forcing greater adoption of serialization, even though it has been used for decades to identify individual items. In most cases, historical use was to improve the accuracy and efficiency of internal and/or business-to-business (B2B) transactions.

It is clear that adding unit-level traceability gives stakeholders and consumers the ability to understand what is real or fake from a packaging perspective. It has also been proven effective in identifying diversion, whether illegal or simply in breach of supply and marketing contracts. However, there is a significant weakness in current approaches to serialization that should be considered.

An obstacle to more widespread adoption has been that the serialized data and the data carriers were generally proprietary solutions, not meant for adoption and use by participants across the end-to-end supply chain. This has been largely overcome by the gravitation towards the GS1 Global Trade Identification Number (GTIN) and the GS1 DataMatrix carrier. A majority of stakeholders are using or planning to use GS1 standards for compliance and commercial reasons.

The weakest visible element in the current trend in healthcare serialization is this data and data carrier on the individual item. The justification for using unsecured data within a 2D carrier is sound: supply chain efficiency must be maintained, and the best way to do that is for all to agree to use open and globally interoperable standards. At the current rate I don’t see a possibility for secured data in a secured data carrier to win adoption across regulators and brand owners. At least not in healthcare.

But you may point out that, in the regulations for healthcare in particular, the strength was never meant to be in the data and data carrier. And lest we forget, regulation in this regard is generally structured for an end game that enables regulators to seize, quarantine and eventually prosecute.

The strength in the system is to come from the database where the valuable ownership and event information of each item is stored. Yes, the strength comes from the databases which will be a ripe new target for sophisticated counterfeiters. Let's not forget HaaS, or Hacking as a Service. This is a very real thing and leads us to conclude counterfeiters do not have to be that sophisticated. They can contract for the skills needed to hack in and falsify event and chain of ownership records.

Let’s assume for a moment the trend continues, capabilities are enabled, and serialization use and serialization data are pervasive. The counterfeiters don’t need to worry about those databases for years. Thinking realistically about this, it will be another decade before they are not only up and running, but have full adoption by all stakeholders.

Making fake versions of 2D serialized codes is child’s play for counterfeiters. I’ve seen them in my prior work at Pfizer. But you say, “we’re going to randomize our serial numbers for added security.” For the time being, counterfeiters won’t even need to guess at the randomization algorithms. With the lack of system connectivity that will persist for another 10 years, they only have to guess well, not accurately. If it looks real in the absence of instant system verification back to the manufacturer, it will be deemed real and moved along the chain.

I also don’t put much stock in randomization under current industry methods because it’s not possible to get what would be regarded as strong encryption into a serial number when limited to using the GS1 standards. Enter your HaaS to take a representative sample of your randomized numbers and voilà: accurately generated serial numbers, some of which will appear authentic against the original system of record at the manufacturer.

There is no question that serialization is a powerful and effective component of a supply chain security strategy. We just need to be mindful of its weaknesses and design our systems with additional security layers to compensate.
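To make the verification gap and the "additional security layers" point concrete, here is an added example (not from the article or any vendor system) of a manufacturer-side registry that issues serials from a CSPRNG, reports how likely a random code is to match an issued one, and flags a second presentation of the same serial at dispense. The class name, 36-symbol alphabet, status values and default length are assumptions made for illustration.

```python
import secrets

# Assumptions (not from the article): a 36-symbol alphabet and 12-character
# serials; GS1 allows up to 20 alphanumeric characters in the serial field.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MAX_LEN = 20


class SerialRegistry:
    """Hypothetical manufacturer-side system of record for one product."""

    def __init__(self, length=12):
        if not 1 <= length <= MAX_LEN:
            raise ValueError("serial length must be between 1 and 20")
        self.length = length
        self.status = {}  # serial -> "active" or "dispensed"

    def issue(self, count):
        """Issue `count` new unique serials drawn from the OS CSPRNG."""
        if len(self.status) + count > len(ALPHABET) ** self.length:
            raise ValueError("serial space too small for this volume")
        new = set()
        while len(new) < count:
            s = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
            if s not in self.status:
                new.add(s)
        self.status.update(dict.fromkeys(new, "active"))
        return sorted(new)

    def guess_hit_probability(self):
        """Chance that one uniformly random code matches an issued serial."""
        return len(self.status) / len(ALPHABET) ** self.length

    def verify_and_dispense(self, serial):
        """Check a scanned serial at the point of dispense and retire it."""
        state = self.status.get(serial)
        if state is None:
            return "unknown"    # never issued: fails only if someone checks
        if state == "dispensed":
            return "duplicate"  # second presentation: investigate both packs
        self.status[serial] = "dispensed"
        return "ok"
```

Randomization only lowers the hit rate of a blind guess; the duplicate check is the layer that still fires when a code matches the system of record, and it works only where the scan actually reaches that system.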